The majority of the applications scanned by Veracode's cloud-based software testing tool had some kind of security flaw, such as SQL injection or cross-site scripting.

Developers
need to be trained to think about security while building applications, and
security testing needs to be part of the development lifecycle, Veracode said
in its semi-annual software security report.
More than 80
percent of approximately 10,000 applications examined in Veracode's fourth
"State of Software Security" report failed security testing on their
first attempt, Veracode said Dec. 7. Just 16 percent of applications received a
passing security grade on the first attempt, compared with the 42 percent that
passed on the first try in the previous report, released in April.

The dramatic
drop is most likely the result of "more stringent criteria" for
passing the security test, as Veracode had instituted a "zero-tolerance
policy" for cross-site scripting and SQL injection flaws. Considered to be
the "low-hanging fruit" because they are fairly easy for attackers to
exploit, these two types of vulnerabilities were among the top 25 Web vulnerabilities as identified by the
SANS Institute earlier this year. Malicious perpetrators can gain access to
customer data and intellectual property via SQL injection and XSS attacks, as
was amply demonstrated in various Web attacks this year.

"With the
majority of recently reported breaches caused by attackers exploiting
weaknesses in Web applications or desktop software, often taking advantage of
common XSS or SQL Injection flaws, we decided it was time to become even more
stringent to reflect the realities of the threat landscape and raise the bar on
what should be deemed secure software," said Chris Wysopal, founder, CISO
and CTO of Veracode.
Veracode found
that 68 percent of all Web applications tested had at least one XSS flaw and 32
percent had SQL injection holes.
The report
also examined the security quality of government Web applications against other
industries and found continued problems in government applications. Approximately
40 percent of government Websites contained SQL injection vulnerabilities the
first time they were tested, compared with 29 percent for Websites for firms in
the financial sector and 30 percent for the software vertical, according to the
report. About 75 percent of the government Websites tested by Veracode had XSS
flaws the first time they were tested, compared with 67 percent of finance
sites containing at least one XSS flaw and 55 percent of software industry
Websites.

For the first
time, Veracode also examined Android applications in its report because
organizations have to think about mobile-security risks as more employees use
personal devices to access corporate resources. Mobile developers tend to make
similar mistakes to enterprise developers, and they were sloppy when
implementing encryption in the applications, Veracode found. More than 40
percent of Android applications that failed initial testing had at least one
instance of cryptographic keys hard-coded into the application, Veracode found.
"The
problem is, once these keys are compromised, any security mechanisms that
depend on the secrecy of the keys are then rendered ineffective," Veracode
said.
Veracode also
found that remote-code-execution vulnerabilities and bugs that open backdoors
were "far more" prevalent in commercial software. Organizations
buying commercial software should explicitly test for these issues beforehand,
Veracode recommended.
The applications
included in the report were submitted to Veracode's cloud-based
application-security-testing platform over the past 18 months. The number of
applications tested in Volume 4 was more than double the number tested in
Volume 3, according to Veracode.
One of the
goals of the report is to show how regular testing during development and time
spent training developers can result in more secure code, Veracode said.
Organizations can integrate security testing within the coding process to
identify basic errors with "minimal impact" on development
lifecycles. More than 80 percent of applications that failed to initially pass
Veracode's security audit were resubmitted and passed with an acceptable grade
within one week, according to Veracode.